
dotnet web services enhancements : SecureConversation


Eric Quist
6/26/2006 7:03:01 AM
Hi
Is it possible for the client to decide whether to do encryption and signing
of messages? If so, how do I do it?
Background: I have a web service that is called from WinForms clients, for which
I want to encrypt and sign the messages. The web service is also called by
another web service, and in that situation I don’t want to encrypt and sign the
message, because that is not necessary.

Eric Quist
6/26/2006 7:07:02 AM
The subject got a little bit wrong there because I changed the question, but
forgot to change the subject.

I might also want the client to control if SecureConversation should be used
or not for the same reason as below.

/Eric

Eric Quist
6/26/2006 11:16:02 AM
Thanks for your fast answer. I thought it was like that, but hoped for
another answer. ;)

/Eric

Pablo Cibraro
6/26/2006 11:25:35 AM
Hi Eric,

WSE uses a set of pre-defined scenarios to specify the security
requirements.
These scenarios are called turn-key scenarios, and they are implemented by
security assertions.

You can find a description of each security assertion provided by WSE in
this article,
http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx?pull=/library/en-us/dnwse/html/newwse3.asp

By default, all the assertions that use message security sign the messages
and optionally encrypt them (it is a configuration setting). The same happens
with security conversation; it is a configuration setting in these
assertions.

However, you can develop your own custom assertion and specify the security
requirements for that assertion (Signing, Encryption, Security
Conversation).

The client and the service must both use the same security assertion, and
you can specify that assertion by means of code (Attribute) or configuration
(Policy file).
You cannot call a secured web service from an unsecured client or web
service. Therefore, you should have two different implementations of the
same web service, a plain version and a secure one. (The same for security
conversation, the client and the service must agree on the use of this
feature).

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

